Privacy Policy

Effective Date: May 23, 2024

Introduction

Welcome to the Pathway Software (UK) Limited's privacy policy.

Pathway Software (UK) Limited (“we” or the “Company”) Company is committed to protecting and respecting the privacy of all our customers, partners and end users of our Services.

This Privacy Policy will inform you as to how we collect, use, share, and protect information, including your Personal Data, when you interact with our main website (www.writeupp.com) or our mobile apps or use our services. This Privacy Policy will also inform you about your privacy rights and how the law protects you. By using or accessing the website, mobile app, or services, you are accepting the practices described in this Privacy Policy and our processing of your information as described below.

In this Privacy Policy, we explain the following:

• Definitions, important information, and who we are
• The kind of Information we collect
• How we will use Personal Data
• How we share Personal Data
• How we protect and store Personal Data
• Data Retention
• Your rights as a Data Subject
• Children's Information
• How to contact us

Important information, Definitions, and who we are

Definitions

In this policy, the following words have the following meanings:

• Customer includes the following (a) customers who have entered into a contract with us for the supply of the Services and WriteUpp (b) customers who have subscribed for a trial of our Services and WriteUpp, in both cases in accordance with our Terms of Service. For clarity, Customer means both a customer and its Staff.
• Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
• Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which applies to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications)..
• UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK, including the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
• Patients mean the Customer's patients.
• Patients Data means the Personal Data of Patients, including clinical notes and assessments.
• Personal Data means any information relating to an identified natural person that is processed by the Company as a result of, or in connection with, the provision of the Services or our Site; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• ICO means the Information Commissioner’s Office and any successor to it as data protection authority.
• Us, Our, We or Company means Pathway Software (UK) Limited and our Staff.
  You, Your means you as an individual Patient or User, or your organisation and its Staff.
• Services or WriteUpp means the software provided and developed by the Company which may be supplied to you, as well as all associated services including emails we send, social media accounts, and any websites or other online services provided by the Company in connection with the software. Use of the Services we provide is governed by our Terms of Service.
• Standard Contractual Clauses (SCC) are the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers) as set out in the Annex to Commission Decision 2010/87/EU.
• Staff means your or our employees, workers, agents and sub-contractors, as applicable.
• Site means the Company's website at https://www.writeupp.com. Use of our site is governed by our Terms of Website Use.
• Site User means a visitor to the Site, whether or not such visitor is a Customer.

Purpose of this Privacy Policy

This policy, together with:

• our Terms of Use, applicable to your use of our website (our Terms of Website Use); and
• our Terms of Service applicable to your use of the Services where you are our Customer (our Terms of Service), including the Acceptable Use policy found within our Terms of Service (our Acceptable Use Policy)

and any other documents referred to in the Terms of Service and/or the Acceptable Use Policy sets out the basis on which any Personal Data the Company collects from you or that you provide to the Company, whether through this Site or when you use our Services will be processed by us.

The Site is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this Privacy Policy together with any other Privacy Policy or fair processing policy we may provide on specific occasions when you are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.

Our Privacy Policy does not apply to services offered by other companies or individuals, including products or sites that may be displayed to you, or other sites linked from our services. Our Privacy Policy does not cover the information practices of other companies and organizations who advertise our services, and who may use cookies, pixel tags and other technologies to serve and offer relevant ads.

Changes to the Privacy Policy and your duty to inform us of changes

We keep our Privacy Policy under regular review. We may change this policy from time to time to take account of:

• changes to Data Protection Legislation and other laws which may affect this policy;
• guidance issued by the ICO and others;
• issues raised by our Customers, partners and end users

Accordingly, we suggest that you regularly check this page to ensure that you continue to be comfortable with the measures that we are taking to protect your privacy.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

The Kind of Information we collect

The type of information we collect varies depending on whether an individual is a Customer, a Patient, or a Site User (that is, someone who visits the Site but is not a Customer).

1. Customer Data:

This section applies to information our Customers give us about you and your Staff in connection with our provision of the Services. This information may include:

• Identity Data including name, username;
• Contact Data including address, email address and telephone number
• Transaction Data including payment information and history of payments to and from you and other details of products and services you have purchased from us.
• Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
• Usage Data including information about how you use or interact with the Site or our Services (such as the pages visited, links clicked, non-sensitive text entered, mouse movements, referring URL).
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We use different methods to collect data from and about you including through:

• Direct interactions. You provide our Company with most of the data we collect. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Data of you or your Staff that you provide when you:
• Visit our Site;
• Use our Services;
• Use WriteUpp;
• Correspond with us by filling in forms, post, phone, e-mail or otherwise;
• Request marketing to be sent to you;
• Participate in any discussion boards or other social media functions on our Site;
• submit an enquiry to us regarding our products and/or Services whether by telephone, email, via our website or other channel;
• register a profile, complete surveys, or tell us about any problems with our Site;
• submit material for publication on our website (whether in discussion boards, chat rooms or other social media platforms our website);
• subscribe for any newsletter or publication we may supply.
• Automated technologies or interactions. As you interact with our website, we will automatically collect Technical [and Usage] Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies, which may be operated by our partners who assist us in serving ads or providing other services to you. We may also receive Technical [and Usage] Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
• Third parties or publicly available sources. Third parties or publicly available sources. We will receive Personal Data about you from various third parties as set out below:
  • Usage data. Personal Data is collected by Raygun – error and performance monitoring for WriteUpp.

2. Patient Data:

For Patients of a Customer, the Company is acting as a service provider (or processor) to the Customer for the Services. We collect information on the direction of Customers, and have no direct relationship with the Patients whose information we process.

This section applies to information a Customer enters into WriteUpp about its Patients when using WriteUpp, which we may process when providing our Services to Customers. Please note that the Company requests all Customers provide notice to their Patients that they use our Services. Patient Data we collect may include, but is not limited to:

• Name
• Address
• Email address
• Landline & Mobile Number
• Insurer details
• GP details
• Medical records
• Treatment plans
• Letters & documentation
• Communications with other healthcare professionals; and
• Other information necessary for the operation of the Services and/or WriteUpp.

This Patient Data may be supplied to us by you when you:

• Use our Services in the course of your business;
• Use WriteUpp in the course of your business; or
• when you report a problem with our Site.

3. Site User Data:

This section applies to information we may process relating to all Site Users, whether or not a Site User is also a Customer. Site User Data may include:

• Technical Data including your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
• Usage Data including information about how you use or interact with the Site or our Services (such as the pages visited, links clicked, non-sensitive text entered, mouse movements, referring URL).

As you interact with our website, we will automatically collect Technical [and Usage] Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies, which may be operated by our partners who assist us in serving ads or providing other services to you. We may also receive Technical [or Usage] Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

How we will use personal data

Lawful Basis for the Company's processing activities.

In this privacy policy, the following terms have the following meanings:

• Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (please see the “How to Contact Us” section).
• Performance of Contract means processing your Personal Data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
• Comply with a legal obligation means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to.

When the Company processes Personal Data, whether as Data Controller or as Data Processor, we will rely on the following lawful grounds for processing of each of the categories of data identified above.

The Company may use your data and information in the following ways:

1. Customer Data

We have set out below, in a table format, a description of all the ways we may use Customer Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may have more than one lawful ground for processing your Personal Data depending on the specific purpose for which we are using such data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below.

Generally, we do not rely on consent as a legal basis for processing your Personal Data although we will get your consent before sending third- party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by following the opt-out links on any marketing message sent to you.

2. Patient Data:

The following are our legal bases for our processing of Patient Data:

• you have obtained all necessary and appropriate consent from the Patient/data subject in accordance with Data Protection Legislation;
• Our processing of Patient Data is necessary for your use of WriteUpp, our provision of the Services to you, and for our performance of under the contract with the Customers whose Patients' Data is provided to us; and/or
• Your legitimate interests, namely the provision of your services to your Patients with the assistance of the Services.

Patient Data may be processed by the Company for the purposes of:

• storing Patient Data on WriteUpp;
• storing Patient Data on our servers;
• supplying you with our products and Services;
• enabling and assisting us to comply with all legal, regulatory and compliance obligations to which we are subject; and
• ensuring the security of our Services, maintaining back-ups of our databases.

If you fail to provide personal information

If you, the Customer, fail to provide certain information when requested, the Company may not be able to perform the Services and any contract we have entered into with you or we may be prevented from complying with our legal obligations.

3. Site User Data:

The legal basis for this processing is because it is necessary for the following legitimate interests:

• Running our business, provision of administration and IT services, and network security;
• Defining types of customers for our products and services; and
• Growing our business, informing our marketing strategy, and keeping our website updated and relevant.

Site User Data may be processed by the Company for the purposes of:

• Administering and protecting our business and the Site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
• Delivering relevant website content and advertisements to you and measuring or understanding the effectiveness of the advertising we serve to you; and
• Using data analytics to improve the Site, our products/services, marketing, customer relationships and experiences.

Change of purpose

Where we are Data Controller (in respect of Customer Data only): the Company will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Where we are Data Processor: the Company will only process Patient Data in accordance with the conditions for processing set out in this policy. We shall only process Patient Data relevant to a particular Customer’s Patients, while our contract with the Customer is continuing and shall cease such processing (a) when requested by the Customer (b) on termination of the contract (c) on cancellation of the contract; or (d) at the request of the data subject.

Marketing

We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your Personal Data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.

Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of service purchase, service experience or other transactions.

How we share Personal Data

You agree that the Company has the right to share Customer Data (but not Patient Data) with:

• Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
• Selected external third parties including:
• business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you (including third party IT providers, hosting and back-up service providers);
• Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services; and
• third party service providers who assist us with our activities, such as hosting providers, and other IT or payment service providers, may also have access to Personal Data held by us and may use this information on our behalf
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
• Other third parties:
• if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Website Use, our Terms of Service, our Acceptable Use Policy, and other agreements;
• to protect the rights, property, or safety of the Company, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; or
• to assist us in improving our products and Services. We monitor aggregated data that is collected by our Service and may share aggregated with third parties collectively and in an anonymous way. This data will not reveal personal information.

We will not sell, rent or share Customer Data or Patient Data with third parties in other ways without your consent unless we are entitled by law to do so.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

How we protect and store Personal Data

We may hold Personal Data in electronic databases, such as our customer relationship management system. We take all reasonable steps to keep any Personal Data we hold about you (and your Patients) secure.

All information which is provided to, or collected by, the Company is:

• Stored on the Company's secure servers within the United Kingdom and the European Union (EU), namely Dublin and Amsterdam.
• Hosted on secure data centre managed by our hosting partner with 24/7 manned security, CCTV, biometric access to the facility and restrictive access to the internals of the building based on authorisation levels.

International transfers

Many of our external third parties are based outside the UK so their processing of your Personal Data will involve a transfer of Personal Data from the UK to another country.

We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data. If a country is not deemed to provide an adequate level of protection for Personal Data, we will ensure that appropriate safeguards and transfer mechanisms are in place.

European Union (“EU”) data protection rules apply to the European Economic Area (“EEA”), which includes all EU countries and the non-EU countries of Iceland, Liechtenstein and Norway.

Please contact us (please see our “How to Contact Us” section) if you want further information on the specific mechanism used by us when transferring your Personal Data out of the UK.

Data Security

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected Personal Data Breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Passwords and Security

Where the Company has given you (or where you have chosen) a password which enables you to access your account, you are responsible for keeping this password confidential. The Company asks you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although the Company will do its best to protect your Personal Data, the Company cannot guarantee the security of your data transmitted via the Site; any transmission is at your own risk. Once the Company has received your information, the Company will use strict procedures and security features to try to prevent unauthorised access.

Data Retention

How long the Company will Retain Personal Data

1. Customer Data

The Company will retain Customer Data for:

• as long as we are providing the Services to you;
• for a period of at least six (6) years from the date the Services end.

We may also retain Customer Data for longer periods of time where such retention is necessary for us to comply with a legal obligation, or in order to protect your vital interests or the vital interests of another natural person.

2. Patient Data

The Company will retain Patient Data for:

• as long as we are providing the Services to the Customer who provided the Patient Data to us;
• a maximum period of forty-five (45) days from the date the Services end.

3. Site User Data

The Company will retain Site User Data for: as long as we are providing the Site.

Backups

You acknowledge and agree that: (a) we may perform weekly backups of the Patient Data held in connection with your of our Services; (b) such backups will be retained on our backup systems for 2 years; and (c) for technical and operational reasons, the backup data cannot be deleted before the expiry of that 2-year period.

The backup data is stored in binary form and is anonymized. The data within the backups does not contain any fields or data in those fields and is non-readable by humans. The backups can only be restored and made readable again using certain backup restoration tools provided by our infrastructure provider, access to which is limited to only certain senior people in our business. There are also security measures in place (including two-factor authentication) to protect against unauthorised access to or restoration of the backup data.

Your rights as a Data Subject

Under certain circumstances, if you are an individual in respect of whom the Company processes Personal Data, you have the following rights. Please note that this is a summary of your rights. If you wish to understand your rights in detail you should read the relevant laws, guidance and regulations for a fuller explanation.

You have the right to:

• Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it. We will supply the data free of charge but we reserve the right to charge a reasonable fee (or refuse to act on the request) if you request additional copies of the information, if access requests are unfounded or excessive.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
• If you want us to establish the data's accuracy.
• Where our use of the data is unlawful but you do not want us to erase it.
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk/make-a-complaint). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Residents in the EEA and Switzerland, have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here.

No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

Links

The Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Please note that we do not control these third-party websites, which may have their own privacy policies, and that we are not responsible for their privacy statements. When you leave our Site, we encourage you to read the policy statement of every website you visit.

Children's Information

We recognize the need to provide further privacy protections with respect to personal information we may collect from children on our Site. When we intend to collect personal information from children, we take additional steps to protect children's privacy, including:

• Notifying parents about our information practices with regard to children, including the types of personal information we may collect from children, the uses to which we may put that information, and whether and with whom we may share that information;
• In accordance with applicable law, and our practices, obtaining consent from parents for the collection of personal information from their children, or for sending information about our Services directly to their children;
• Limiting our collection of personal information from children to no more than is reasonably necessary to participate in an online activity; and
• Giving parents access or the ability to request access to personal information we have collected from their children and the ability to request that the personal information be changed or deleted.

How to contact us

Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to support@writeupp.com.

If you have any questions or have a complaint about this Privacy Policy please let us know immediately.

To individuals situated in the EU, please contact us directly in regards to requesting your individual rights, alternatively we have instructed Verasafe Ireland Limited as our EU Representative in accordance with Article 27 of the GDPR for EU supervisory authorities and EU citizens (contact details below).

Post: Verasafe Ireland Limited, Unit 3D North Point House, North Point House, North Point Business Park, New Mallow Road, Cork, T23 ATZP.

Company Information

Pathway Software
85 Watergate Street
Chester
CH1 2LF